New Hacking Team Spyware Samples Detected: ESET

New samples of Hacking Team’s Remote Control System (RCS) flagship spyware have recently emerged, slightly different from previously observed variations, ESET warns.

Hacking Team, an Italian spyware vendor founded in 2003, is well known for selling surveillance tools to governments worldwide. In 2015, the firm was hacked, which led to 400GB of internal data being leaked online, including a list of customers, internal communications, and spyware source code.

Not only did the incident expose Hacking Team’s activities and force it to ask customers to suspend all use of RCS, but it also resulted in various actors using the leaked code and exploits as part of their own malicious operations.

Following the data breach, the Hacking Team was facing an uncertain future, but the first reports of it resuming activity came only half a year later, when a new sample of the firm’s Mac spyware apparently emerged. In the meantime, the firm has received an investment by a company named Tablem Limited, which is officially based in Cyprus but appears to have ties to Saudi Arabia.

Hacking Team’s top product, RCS, is a tool that packs all the functionality one would expect from a backdoor: it is capable of extracting files from a targeted device, intercepting emails and instant messaging, and remotely activating the webcam and microphone.

The newly discovered RCS samples, ESET says, were compiled between September 2015 and October 2017 and can be traced to a single group, rather than being built by various actors from the leaked source code. Furthermore, they have been signed with a previously unseen valid digital certificate, issued by Thawte to a company named Ziber Ltd.

The new variants include forged Manifest metadata to masquerade as a legitimate application and their author used VMProtect in an attempt to add detection evasion to them, a feature “common among pre-leak Hacking Team spyware,” ESET points out.

What suggests that these samples might have been built by the Hacking Team developers themselves includes the versioning, which continues from where Hacking Team left off before the breach and which follows the same patterns. ESET also discovered that changes introduced in the post-leak updates fall in line with Hacking Team’s coding style and show deep familiarity with the code.

“It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code,” the security company says.

The researchers also discovered a subtle difference in Startup file size. In the samples before the leak, the file copy operation was padded to 4MB, while in the post-leak variants it is padded to 6MB.

The spyware’s capabilities remained the same, with no significant update released to date, although the firm said after the leak that it would push a new solution. In two different cases, the observed distribution vector was an executable file disguised as a PDF document and sent to the victim via a spear-phishing email.

“Our research lets us claim with high confidence that, with one obvious exception, the post-leak samples we’ve analyzed are indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, such as in the case of Callisto Group in 2016,” ESET says.

The security firm claims the new Hacking Team spyware samples have been already detected in fourteen countries, but decided not to disclose the names of those countries. Furthermore, the company kept other newly uncovered details secret, to prevent interference with the future tracking of the group.